Strengthen and Scale security using DevSecOps
@secfigo | www.teachera.io | secfigo@gmail.com
OWASP Indonesia Meetup
# whoami
Mohammed A. Imran, Senior Security Engineer
Author, Speaker and Community Leader.
Speaker/Trainer at Blackhat, AppSec EU, Pycon, All Day DevOps, DevSecCon London, DevSecCon Singapore, Nullcon etc.
Organizer of the DevSecOps Track in OSS 2018.
Project Leader for the OWASP DevSecOps Studio, DevSlop, Integra and Awesome-Fuzzing projects.
Organised around 100 monthly security meetings and about 50 workshops.
SCJP, OSCP, OSCE, AWS-CP, AWS-CSA, AWS-SS
Part 1: Agile and DevOps
Long, long time ago
Trivia: how is this related to Singapore?
Traditional SDLC
Requirements: gather requirements from the client/customer
Design: design the software according to the requirements
Implementation: implement the design agreed upon
Deploy: deploy the software to production
Maintain: maintain the software in production
Business Requirements | Wall of uncertainty | Development Teams
Enter the change: Agile
Everything changed after agile: much shorter development cycles and faster deploys to production.
The speed with which changes are being made is beyond security's (operations) 🚨 reach.
Then Agile happened
Developers | Wall of confusion | Operations
DevOps
"DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality." - Bass, Weber, and Zhu
Development (Software Engineering) + Operations (Quality Assurance) = DevOps
DevOps Cycle
A. Plan & Create: plan and implement the code using source code management (SCM)
B. Verify: test and verify that the code does what the business wants
C. Package: package the code in a deployable artifact and test it in a staging environment
D. Release: release the artefact as production ready after change/release approvals
E. Configure: configure the application/stack using configuration management
F. Monitor: monitor the application for its performance, security and compliance
DevOps Security
Wall of compliance
Traditional Secure SDLC
Security is Outnumbered!
Dev / Ops / Security = 100 / 10 / 1
DevSecOps
"DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality." - Bass, Weber, and Zhu
By definition, security is part of DevOps.
Development (Software Engineering) + Security (Quality Assurance) + Operations = DevSecOps
DevSecOps Benefits
Flexibility: with ever-changing technology, businesses have to be flexible and fast to deliver value to their customers; otherwise they risk losing the business.
Reliability: customers need more reliable and available systems. DevOps reduces failure rates and provides faster feedback.
Resilience: DevOps helps organisations in designing and implementing resilient systems.
Automation: automation helps to reduce the complexity of modern systems and can scale as per needs.
Speed: speed is a competitive advantage, and DevOps helps to go to market faster.
How to DevSecOps? Core Values of DevOps (CAMS)
Culture: DevOps is about breaking down barriers between teams; without culture, other practices fail.
Automation: often mistaken as DevOps itself, but a very important aspect of the initiative.
Measurement: measuring activities in CI/CD helps in informed decision making among teams.
Sharing: sharing tools, best practices etc. among the teams/organization improves confidence for collaboration.
Build bridges, not walls!
Build guard rails, not gates!
Embed security early and often.
Conway's Law
"Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure."
Part 2: Continuous Integration/Deployment
CI/CD
Pipeline diagram: PLAN > CODE > BUILD > TEST > RELEASE > DEPLOY > OPERATE, backed by Requirements, Code Repository, CI Server, Integration Testing, CD Orchestration, Artefact Repository and Monitor.
Activities shown along the pipeline: functional req., non-functional req., design, code, branching, third-party components, hooks, compile, basic tests, lint (analyze), package, security, integration, performance, security, test on staging, release, schedule, configuration, inventory, infrastructure, metrics, monitoring, alerting.
Pipeline diagram: Agile Development, Continuous Integration, Continuous Delivery, Continuous Deployment and DevOps/DevSecOps mapped onto PLAN > CODE > BUILD > TEST > RELEASE > DEPLOY > OPERATE (Requirements, Code Repository, CI Server, Integration Testing, CD Orchestration, Artefact Repository, Monitor).
Part 3: Scale security with DevOps
DevSecOps Implementation
So far we have looked at the principles and ideas behind DevSecOps, but how do we start implementing DevSecOps? We can use the techniques listed here (discussed in this course) to implement a full-blown security pipeline.
Everything as Code (EaC): compliance as code and hardening via configuration management systems
Secure by Default: use secure-by-default frameworks and services
Shift Security Left: use the CI/CD pipeline to embed security
Self Service: give developers and operations visibility into security activities
Security Champions: encourage security champions to pick up security tasks
Use maturity models: use DevSecOps maturity models to improve further
1. Shift Security Left
Use the CI/CD pipeline to embed security early on.
DevOps: Typical Activities (pipeline diagram: PLAN > CODE > BUILD > TEST > RELEASE > DEPLOY > OPERATE; Requirements, Code Repository, CI Server, Integration Testing, CD Orchestration, Artefact Repository, Monitor): functional req., non-functional req., design, code, branching, third-party components, hooks, compile, basic tests, lint (analyze), package, security, integration, performance, security, test on staging, release, schedule, configuration, inventory, infrastructure, metrics, monitoring, alerting.
DevOps: Typical Security Activities (same pipeline; some activities recur at more than one stage): threat modelling, ASVS, git secrets scanning, dependency scanning, code analysis (SAST), security unit tests, Docker security testing, component scanning, ZAP baseline testing, container scanning, ModSecurity CRS, Docker/third party, SSL scanning, Nikto/dirbuster, WPScan/JoomScan, ZAP + Selenium + Python, Docker benchmark, system hardening, application hardening, compliance as code, SOC with ELK, verify controls.
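The "git secrets scanning" activity at the CODE stage is the cheapest shift-left check in the list above: it only needs the diff of a push, not a built application. The following is an added example, not code from the deck or from any of the tools it names (Trufflehog, git-secrets). It scans the added lines of a unified diff with a few constructed regex rules plus a Shannon-entropy check for long random-looking tokens, and treats a `# nosecret` marker (this example's own convention) as a reviewed, accepted line so that false positives can be controlled locally. The diff it runs on is constructed; the AWS key in it is the documented AWS example key, not a real credential.

```python
"""Secrets check over a git diff, for a pre-commit hook or a CODE-stage CI job.

Added example (not the deck's code and not any of the named tools). It scans
only the added lines of a unified diff, so it runs in seconds on every push.
The '# nosecret' marker is this example's own convention for accepting a
reviewed false positive on one line.
"""
import math
import re
import sys
from collections import Counter

# Rule-based patterns, deliberately kept small for the example.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned-password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}
# Candidate tokens for the entropy check: long runs of base64/url-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; random 32-character keys score about 5
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")
SUPPRESS_MARKER = "# nosecret"

# Constructed unified diff; AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,6 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+API_TOKEN = "abcdefghijklmnopqrstuvwxyz012345"
+PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxx"  # nosecret
 ALLOWED_HOSTS = ["example.com"]
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every '+' line of a unified diff."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            lineno = int(HUNK_RE.match(raw).group(1)) - 1
        elif raw.startswith("+"):
            lineno += 1
            yield path, lineno, raw[1:]
        elif raw.startswith(("-", "diff ", "index ")):
            continue  # removed lines and file headers do not advance new-file numbering
        else:
            lineno += 1  # unchanged context line


def scan_diff(diff_text):
    """Return [(path, line, rule, snippet)] for added lines that look like secrets."""
    findings = []
    for path, lineno, text in added_lines(diff_text):
        if SUPPRESS_MARKER in text:
            continue  # reviewed and accepted on this line
        hit = False
        for rule, pattern in PATTERNS.items():
            m = pattern.search(text)
            if m:
                findings.append((path, lineno, rule, m.group(0)))
                hit = True
        if hit:
            continue  # entropy check only for lines no rule explained
        for token in TOKEN_RE.findall(text):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high-entropy-string", token))
                break
    return findings


if __name__ == "__main__":
    # Usage: git diff --cached | python secrets_check.py   (falls back to the sample diff)
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    results = scan_diff(diff or SAMPLE_DIFF)
    for path, line, rule, snippet in results:
        print(f"{path}:{line}: {rule}: {snippet}")
    sys.exit(1 if results else 0)
```

Because only added lines are examined, the check stays well inside the deck's ten-minute budget even on large repositories; a full-history scan with Trufflehog is the complementary, slower job.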
2. Self Service
Give developers and operations visibility into security activities.
3. Security as Code (EaC)
Compliance as code and hardening via configuration management systems.
4. Secure by Default
Use secure-by-default frameworks and services.
Part 4: DevSecOps Maturity Model
DevSecOps Maturity Model (DSOMM)
Static Depth: how deep is static code analysis?
Dynamic Depth: how deep are dynamic scans executed?
Intensity: how intense are the majority of the executed attacks?
Consolidation: how complete is the process of handling findings?
Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
Security Tools in CI/CD
1. Anything which takes more than 10 minutes (me being optimistic) isn't fit for CI/CD.
2. SAST/DAST without creating custom rules/tweaks is of no huge benefit down the line.
3. Create separate jobs for easy debugging later.
4. Roll out tools in phases.
5. Fail builds when critical/high severity issues are found (after you have given devs/ops enough time to learn and get used to the security tools).
6. Link the wiki in the scan outputs in case someone needs answers.
7. Tools which provide APIs are huge wins, but make sure you at least have a CLI.
8. See if your tools do incremental/baseline scans.
9. Some ability to control the scope and false positives locally is nice (see Brakeman/ZAP/dependency checker).
10. When in doubt, ask developers/QA for help.
11. Everything as Code (EaC): auditable, measurable and secure.
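Points 5, 6, 8 and 9 above are the ones that decide whether a SAST job is tolerated or switched off, and they are easiest to see as a small gate script between the scanner and the build result. The following is an added example, not code from the deck and not part of Bandit (the SAST tool in the deck's Python tools table). It reads the JSON report Bandit writes with `bandit -r . -f json -o bandit.json`, suppresses findings that sit in a reviewed baseline or in an allowlist of accepted false positives, prints each remaining finding with a wiki link, and fails only on HIGH severity findings of at least MEDIUM confidence. The report, baseline and allowlist are constructed, and the wiki base URL is an assumed placeholder.

```python
"""Severity gate for Bandit (SAST) JSON results in a CI job.

Added example: not the deck's code and not part of Bandit. Findings in a
reviewed baseline or an allowlist of accepted false positives are suppressed,
every remaining finding is printed with a wiki link, and the job fails only
on HIGH severity findings of at least MEDIUM confidence.
"""
import json
import sys
from dataclasses import dataclass

WIKI_BASE = "https://wiki.example.internal/security/bandit/"  # assumed placeholder
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed report using the keys Bandit emits with `bandit -f json`;
# the four findings are invented for this example.
SAMPLE_REPORT = json.dumps({"results": [
    {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "app/run.py", "line_number": 7, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue."},
    {"filename": "tests/conftest.py", "line_number": 3, "test_id": "B105",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'test-only'"},
    {"filename": "app/legacy.py", "line_number": 120, "test_id": "B301",
     "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data."},
]})
# Known findings accepted until the fix lands (guideline 8: baseline scans).
SAMPLE_BASELINE = {"B301:app/legacy.py"}
# Reviewed false positives with the reason recorded (guideline 9).
SAMPLE_ALLOWLIST = {"B105:tests/conftest.py": "fixture credential, test-only"}


@dataclass(frozen=True)
class Finding:
    test_id: str
    filename: str
    line: int
    severity: str
    confidence: str
    text: str

    @property
    def key(self):
        # Fingerprint without the line number, so unrelated edits that shift
        # lines do not re-open a baselined finding.
        return f"{self.test_id}:{self.filename}"

    @property
    def wiki_url(self):
        return f"{WIKI_BASE}{self.test_id}"  # guideline 6: link the wiki in the output


def parse_report(raw):
    """Turn Bandit's JSON report into Finding objects."""
    return [Finding(r["test_id"], r["filename"], int(r["line_number"]),
                    r["issue_severity"].upper(), r["issue_confidence"].upper(),
                    r["issue_text"])
            for r in json.loads(raw).get("results", [])]


def triage(findings, baseline, allowlist):
    """Split findings into (actionable, suppressed) using the baseline and allowlist."""
    suppressed = [f for f in findings if f.key in baseline or f.key in allowlist]
    actionable = [f for f in findings if f not in suppressed]
    return actionable, suppressed


def gate(raw, baseline, allowlist, fail_severity="HIGH", min_confidence="MEDIUM"):
    """Return (exit_code, report_lines); exit_code is 1 when a blocking finding remains."""
    actionable, suppressed = triage(parse_report(raw), baseline, allowlist)
    lines, blocking = [], 0
    for f in sorted(actionable, key=lambda x: -SEVERITY_RANK[x.severity]):
        lines.append(f"{f.severity:<6} {f.confidence:<6} {f.filename}:{f.line} "
                     f"{f.test_id} {f.text} (see {f.wiki_url})")
        if (SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_severity]
                and SEVERITY_RANK[f.confidence] >= SEVERITY_RANK[min_confidence]):
            blocking += 1  # guideline 5: only high severity fails the build
    lines.append(f"{len(suppressed)} suppressed by baseline/allowlist, {blocking} blocking")
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    # Usage in CI: bandit -r . -f json -o bandit.json; python bandit_gate.py bandit.json
    raw_report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, out = gate(raw_report, SAMPLE_BASELINE, SAMPLE_ALLOWLIST)
    print("\n".join(out))
    sys.exit(code)
```

Running it as its own CI job keeps guideline 3 (separate jobs are easier to debug), and during the phased rollout of guideline 4 the job can be marked non-blocking in the pipeline (for example GitLab CI's `allow_failure: true`) until developers have had time to work through the output; the `fail_severity` and `min_confidence` thresholds are then tightened in one place.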
Let's see the DevSecOps pipeline in action: DEMO
OWASP DevSecOps Studio
https://github.com/teacheraio/DevSecOps-Studio/
DevSecOps Studio is a virtual environment to learn and teach DevSecOps concepts. It's easy to get started and is mostly automatic.
It takes a lot of effort to set up a DevSecOps environment for training/demos, and more often than not it is error-prone when done manually.
DevSecOps Studio Benefits
A. Easy to set up: takes only a few minutes to set up and start using, with just one command.
B. Reproducible: the aim of this project is to set up a reproducible DevSecOps lab environment for learning and testing different tools.
C. Free & Open Source Software: this project is free and open software to help more people learn about DevSecOps.
Our Setup for On-Premise (GitLab)
Developer(s) push code to the git repo (GitLab) > triggers build > GitLab CI/CD runner runs tests > deploys to the production server
Our Setup for On-Premise (Jenkins)
Developer(s) push code to the git repo (GitLab) > triggers build (Jenkins CI/CD) > Jenkins slave runs tests > deploys to the production server
Python security tools
Security Test   Tool
SAST            Bandit
DAST            ZAP Baseline
Hardening       Ansible
Compliance      Inspec
Git Secrets     Trufflehog
Conclusion
In conclusion, we don't need large sums of money to implement DevSecOps. We can use free and open source tools to showcase the benefits and value DevSecOps provides to the organization(s).
Go on, embed security as part of CI/CD:
Everything as Code (EaC): use configuration management (IaC) to implement security as code
Secure by Default: use secure-by-default frameworks and services
Shift Security Left: use the CI/CD pipeline to embed security early on
Self Service: give developers and operations visibility into security activities/tools
Security Champions: encourage security champions to pick up security tasks
Use maturity models: use DevSecOps maturity models to improve further
Thank you! You folks are awesome.
@secfigo | www.teachera.io | secfigo@gmail.com

Mais conteúdo relacionado

Mais procurados

Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
CloudPassage
 

Mais procurados (20)

DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
DevOps Powerpoint Presentation Slides
DevOps Powerpoint Presentation SlidesDevOps Powerpoint Presentation Slides
DevOps Powerpoint Presentation Slides
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
 

Semelhante a Strengthen and Scale Security Using DevSecOps - OWASP Indonesia

DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT LeadershipDevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
Bryan Len
 

Semelhante a Strengthen and Scale Security Using DevSecOps - OWASP Indonesia (20)

Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
 
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
 
Why DevSecOps Is Necessary For Your SDLC Pipeline?
Why DevSecOps Is Necessary For Your SDLC Pipeline?Why DevSecOps Is Necessary For Your SDLC Pipeline?
Why DevSecOps Is Necessary For Your SDLC Pipeline?
 
Introduction to DevOps in Cloud Computing.pptx
Introduction to DevOps in Cloud Computing.pptxIntroduction to DevOps in Cloud Computing.pptx
Introduction to DevOps in Cloud Computing.pptx
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineDevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps Pipeline
 
DevSecOps on Azure
DevSecOps on AzureDevSecOps on Azure
DevSecOps on Azure
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT LeadershipDevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLC
 
Introduction to dev ops
Introduction to dev opsIntroduction to dev ops
Introduction to dev ops
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
 
DevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practicesDevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practices
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdf
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 
How to implement DevOps for Enterprise
How to implement DevOps for EnterpriseHow to implement DevOps for Enterprise
How to implement DevOps for Enterprise
 

Mais de Mohammed A. Imran

In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
Mohammed A. Imran
 

Mais de Mohammed A. Imran (12)

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishments
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Assembly language part I
Assembly language part IAssembly language part I
Assembly language part I
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security community
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 

Último

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 

Último (20)

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 

Strengthen and Scale Security Using DevSecOps - OWASP Indonesia

  • 1. Strengthen and Scale security using DevSecOps @secfigoɂ www.teachera.io secfigo@gmail.com OWASP Indonesia Meetup
  • 2. 2 Mohammed A. Imran Senior Security Engineer # whoami Author, Speaker and Community Leader. Speaker/Trainer at Blackhat, AppSec EU, Pycon, All Day DevOps, DevSecCon London, DevSecCon Singapore, Nullcon etc., Organizer of DevSecOps Track in OSS 2018. Project Leader for OWASP DevSecOps Studio, DevSlop, Integra and Awesome-Fuzzing projects. Organised around 100 monthly security meetings and about 50 workshops. SCJP, OSCP, OSCE. AWS-CP, AWS-CSA, AWS-SS
  • 4. Long Long time ago Trivia: how is this related to Singapore ?
  • 5. 5 Traditional SDLC Requirements Gather Requirements from the client/customer Implementation Implement the design agreed upon Maintain Maintain of the software in production Deploy Deploy the software to the production Design Design the software according to the requirements
  • 7. 7 Enter the change Agile Everything changed after agile, much shorter development cycles and faster deploys to production. Speed with which changes are being made is beyond security’s (operations) 🚨 reach. Then Agile Happened
  • 9. 9 DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality - Bass, Weber, and Zhu DevOps Development (Software Engineering) Operations (Quality Assurance) DevOps
  • 10. D 10 Plan & Create Plan and implement the code using source code management (SCM) A Monitor Create Verify Package Release Configure DevOps Verify Test and verify the code does, what business wants. B Package Package the code in a deployable artifact & test it in staging environment C Release Release the artefact as production ready after change/release approvals Configure Configure the application/ stack using configuration management E Monitor Monitor the application for its performance, security and compliance F DevOps Cycle
  • 11.
  • 15. 15 Security is Outnumbered! Dev / Ops / Security 100 / 10 / 1
  • 16. 16 DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality - Bass, Weber, and Zhu By definition, security is part of DevOps. DevSecOps Development (Software Engineering) Security (Quality Assurance) Operations DevSecOps
  • 17. 17 Flexibility With ever changing technology, businesses have to be flexible and fast to deliver value to their customers otherwise they risk losing the business. Reliability Customers need more reliable & available systems. DevOps reduces failure rates and provides faster feedback Resilience DevOps helps organisations in designing and implementing resilient systems. Automation Automation helps to reduce complexity of modern systems and can scale as per needs Speed Speed is competitive advantage and DevOps helps to go to market faster. Development Security (Quality Assurance) Operations DevSecOps DevSecOps Benefits
  • 18. 18 Culture DevOps is about breaking down barriers between teams; without culture other practices fail C A M S Measurement Measuring activities in CI/CD helps in informed decision making among teams Automation Often mistaken as DevOps itself but a very important aspect of the initiative. Sharing Sharing tools, best practices etc., among the teams/organization improves confidence for collaboration. How to DevSecOps ? Core Values of DevOps
  • 20. Build guard rails, not gates! Embed security early and often
  • 21. Conway’s Law Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure. “
  • 23. 23 CI/CD CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository Functional req. Non Functional req. Design Code Branching Third party components Hooks Compile Basic tests Lint(analyze) Package Security Integration Performance Security Test on staging Release Schedule Configuration Inventory Infrastructure Metrics Monitoring Alerting
  • 24. Agile Development Continuous Integration Continuous Delivery Continuous Deployment DevOps/DevSecOps CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository
  • 26. 26 DevSecOps Implementation So far we have looked at Principles and Ideas behind DevSecOps but how do we start implementing DevSecOps ? We can use the techniques ( see towards your right hand side) discussed in this course to implement a full blown security pipeline. Everything as Code(EAC Compliance as Code and hardening via configuration management systems Secure by Default Use secure by default frameworks and services Shift Security Left Use CI/CD pipeline to embed security Self Service Gives developers and operations visibility into security activities Security Champions Encourage security champions to pick security tasks. Use maturity models Use DevSecOps Maturity Models to improve further
  • 27. 1. Shift Security left Use CI/CD pipeline to embed security early on
  • 28. CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository Functional req. Non Functional req. Design Code Branching Third party components Hooks Compile Basic tests Lint(Analyze) Package Security Integration Performance Security Test on staging Release Schedule Configuration Inventory Infrastructure Metrics Monitoring Alerting DevOps: Typical Activities
  • 29. Threat Modelling ASVS Git secrets Dependency Scanning Dependency Scanning Code Analysis(SAST) Security Unit Tests Docker security Testing Git secrets scanning Component scanning ZAP testing - baseline Container Scanning Modsecurity CRS Docker/Third Party SSL scanning Nikto/dirbuster WPScan/JoomScan ZAP + selenium + python Component scanning Docker Benchmark System Hardening Application Hardening Compliance as code SOC with ELK Verify Controls CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitoringArtefact Repository DevOps: Typical Security Activities
• 30. 2. Self Service: give developers and operations visibility into security activities
  • 31. 3. Security as Code (EaC) Compliance as Code and hardening via configuration management systems
  • 32. 4. Secure by default Use secure by default frameworks and services
  • 34. DevSecOps Maturity Model (DSOMM) Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
• 35. DevSecOps Maturity Model (DSOMM)
Static Depth: how deep is static code analysis?
Dynamic Depth: how deep are dynamic scans executed?
Intensity: how intense are the majority of the executed attacks?
Consolidation: how complete is the process of handling findings?
Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
• 36. Security Tools in CI/CD
1. Anything that takes more than 10 minutes (and that is being optimistic) isn't fit for CI/CD.
2. SAST/DAST without custom rules/tweaks is of little benefit down the line.
3. Create separate jobs for easy debugging later.
4. Roll out tools in phases.
5. Fail builds when critical/high severity issues are found (after you have given devs/ops enough time to learn and get used to the security tools).
6. Link a wiki page in the scan output for anyone who needs answers.
7. Tools that provide APIs are huge wins, but make sure you at least have a CLI.
8. See if your tools do incremental/baseline scans.
9. Some ability to control scope and false positives locally is nice (see Brakeman/ZAP/Dependency-Check).
10. When in doubt, ask developers/QA for help.
11. Everything as Code (EaC): auditable, measurable and secure.
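The gating logic behind items 4, 5, 6, 8 and 9 above, as an added example for this deck (not the talk's or the DevSecOps Studio project's own code). It assumes the scanner report is Bandit's JSON output (`bandit -f json`), whose `results` entries carry `test_id`, `issue_severity`, `issue_confidence`, `filename` and `line_number`; the sample report, the baseline format, the policy values and the wiki URL are constructed for this example.

```python
"""CI build gate over a SAST report.

Added example for this deck, not the talk's or the DevSecOps Studio
project's own code. Assumes Bandit's JSON output format; the sample
report, baseline format, policy values and wiki URL are this example's own.
"""
import json
import sys

# Policy (item 5): which findings block the build. LOW-confidence hits are
# reported but never block until the rules have been tuned (item 2).
FAIL_SEVERITIES = frozenset({"HIGH"})
MIN_CONFIDENCE = frozenset({"MEDIUM", "HIGH"})

# Constructed sample report in Bandit's JSON shape (not real scan output).
SAMPLE_REPORT = json.dumps({"results": [
    {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "app/run.py", "line_number": 42,
     "issue_text": "subprocess call with shell=True identified, security issue."},
    {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
     "filename": "tests/test_x.py", "line_number": 7,
     "issue_text": "Use of assert detected."},
    {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "filename": "app/db.py", "line_number": 88,
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "filename": "app/settings.py", "line_number": 3,
     "issue_text": "Possible hardcoded password: 'changeme'"},
]})

# Locally accepted findings (item 9): a known false positive in a test file.
BASELINE = frozenset({("B101", "tests/test_x.py", 7)})


def load_report(text):
    return json.loads(text)


def finding_key(r):
    """Identity of a finding for baseline matching (items 8 and 9)."""
    return (r["test_id"], r["filename"], r["line_number"])


def triage(report, baseline=frozenset(), fail_severities=FAIL_SEVERITIES,
           min_confidence=MIN_CONFIDENCE):
    """Split findings into (blocking, warnings, suppressed) lists, in report order."""
    blocking, warnings, suppressed = [], [], []
    for r in report.get("results", []):
        if finding_key(r) in baseline:
            suppressed.append(r)
        elif r["issue_severity"] in fail_severities and r["issue_confidence"] in min_confidence:
            blocking.append(r)
        else:
            warnings.append(r)
    return blocking, warnings, suppressed


def gate(report_text, baseline=frozenset(), enforce=True,
         wiki_url="https://wiki.example.internal/sast"):
    """Return the CI job's exit code: 1 if blocking findings exist and enforcement is on.

    enforce=False is the phased-rollout mode (item 4): findings are printed with
    a link to the team wiki (item 6, hypothetical URL) but the job stays green.
    """
    blocking, warnings, suppressed = triage(load_report(report_text), baseline)
    for label, rows in (("BLOCKING", blocking), ("WARNING", warnings)):
        for r in rows:
            print(f"[{label}] {r['test_id']} {r['filename']}:{r['line_number']} "
                  f"({r['issue_severity']}/{r['issue_confidence']}) {r['issue_text']} "
                  f"see {wiki_url}#{r['test_id']}")
    print(f"{len(blocking)} blocking, {len(warnings)} warnings, "
          f"{len(suppressed)} suppressed by baseline")
    return 1 if blocking and enforce else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_REPORT, BASELINE))
```

Keying the baseline on line numbers means it goes stale as code moves; Bandit's own `-b` baseline option is the better fit for that, and the same blocking/warning split applies to any scanner that emits a severity and a confidence per finding.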
• 38. OWASP DevSecOps Studio
DevSecOps Studio is a virtual environment to learn and teach DevSecOps concepts. It is easy to get started with and is mostly automated. It takes a lot of effort to set up a DevSecOps environment for training/demos, and it is error prone when done manually.
https://github.com/teacheraio/DevSecOps-Studio/
• 39. DevSecOps Studio Benefits
A. Easy to set up: takes only a few minutes to set up and start using, with just one command.
B. Reproducible: the aim of this project is to set up a reproducible DevSecOps lab environment for learning and testing different tools.
C. Free & Open Source Software: this project is free and open source software, to help more people learn about DevSecOps.
• 40. Our Setup for On-Premise (GitLab CI/CD)
Developer(s) push code to the git repo (GitLab) > triggers a build on the GitLab CI/CD runner > runs tests > deploys to the production server
• 41. Our Setup for On-Premise (Jenkins)
Developer(s) push code to the git repo (GitLab) > triggers a build on Jenkins CI/CD, executed on a Jenkins slave (agent) > runs tests > deploys to the production server
• 42. Python security tools
Security Test   Tool
SAST            Bandit
DAST            ZAP Baseline
Hardening       Ansible
Compliance      Inspec
Git Secrets     Trufflehog
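What the "Git Secrets" row (and the git-secrets scanning steps on slides 28 and 29) actually does, as an added example for this deck; this is not TruffleHog's, git-secrets' or the DevSecOps Studio project's code. It combines the two checks those tools rely on, regexes for known credential formats and Shannon entropy for opaque strings, and runs them over the lines a commit adds. The character sets, the length and entropy thresholds, the regex list and the sample diff are assumptions constructed for this example; the key pair in the diff is the example pair from the AWS documentation, not a live credential.

```python
"""Secret detection over a git diff.

Added example for this deck, not code from TruffleHog, git-secrets or the
DevSecOps Studio project. Charsets, thresholds, regexes and the sample
diff are assumptions constructed for this example.
"""
import math
import re
from collections import Counter

# Known credential formats. Illustrative, not exhaustive.
PATTERNS = {
    "AWS access key id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "Slack token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}

# Opaque strings: runs of base64 or hex characters. Length and entropy
# cut-offs are assumptions for this example.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RUN = re.compile(r"[0-9a-fA-F]{20,}")
BASE64_ENTROPY = 4.5
HEX_ENTROPY = 3.0

# Constructed diff (not from a real repository); the AWS values are the
# documented example key pair, not a live credential.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUILD_ID = "2019-01-31-release-candidate"
"""


def shannon_entropy(s):
    """Bits per character: 0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def entropy_hits(line):
    """Yield (kind, value) for high-entropy runs; a hex run is also a base64 run, so skip duplicates."""
    seen = set()
    for m in BASE64_RUN.finditer(line):
        if shannon_entropy(m.group()) > BASE64_ENTROPY:
            seen.add(m.group())
            yield "high-entropy base64 string", m.group()
    for m in HEX_RUN.finditer(line):
        if m.group() not in seen and shannon_entropy(m.group()) > HEX_ENTROPY:
            yield "high-entropy hex string", m.group()


def scan_diff(diff_text):
    """Return findings for added lines only: '+' lines inside a hunk, never the '+++' file header."""
    findings, current_file, in_hunk = [], None, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            in_hunk = False
        elif line.startswith("+++ "):
            path = line[4:]
            current_file = None if path == "/dev/null" else path.split("/", 1)[-1]
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line.startswith("+"):
            added = line[1:]
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(added):
                    findings.append({"file": current_file, "kind": kind, "value": m.group()})
            for kind, value in entropy_hits(added):
                findings.append({"file": current_file, "kind": kind, "value": value})
    return findings


def mask(value):
    """Keep the first 4 characters so a finding is recognisable without leaking it into CI logs."""
    return value[:4] + "*" * (len(value) - 4)


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['file']}: {f['kind']}: {mask(f['value'])}")
```

On the sample diff the access key id is caught by the regex but not by entropy (a 20-character key with repeated letters sits well below 4.5 bits), while the secret key has no fixed prefix and is caught only by entropy; that is why the two checks are run together. The scanner reads the diff on stdin or from a pre-receive hook in a real pipeline, and prints masked values so the secret does not end up in the CI log.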
• 43. Conclusion
In conclusion, we don't need large sums of money to implement DevSecOps. We can use free and open source tools to showcase the benefits and value DevSecOps provides to the organization(s). Go on, embed security as part of CI/CD:
- Everything as Code (EaC): use configuration management (IaC) to implement security as code
- Secure by Default: use secure-by-default frameworks and services
- Shift Security Left: use the CI/CD pipeline to embed security early on
- Self Service: give developers and operations visibility into security activities/tools
- Security Champions: encourage security champions to pick up security tasks
- Use maturity models: use DevSecOps maturity models to improve further
• 44. Thank you! You folks are awesome. @secfigo www.teachera.io secfigo@gmail.com